7 things you didn’t know about pcapr

As we approach the 1 year anniversary of pcapr, we were looking back to see how it has evolved. As a company that tests pretty much everything under the sun that has an IP stack, we deal with pcaps for all kinds of protocols. These pcaps were being littered around in public shares, wiki attachments, emails, internal mailing lists and blogs. Turns out we were not the only ones. The broader community and our customers were having similar problems. So it really started out as a way to organize a large collection of pcaps for us and the broader community. Hence the r in pcapr, which stands for repository. But thanks to the community feedback and contribution, pcapr has become a whole lot more than just a repository.

Here are some capabilities on pcapr that you may not be aware of:

DoS

As I write this blog, pcapr has over 310K packets! Soon after we launched, we released mudos, a standalone D/DoS generator that used a JSON configuration to model the transport, the payload and the pattern. You can read more about mudos in our earlier blog on D/DoS Testing Network Applications. With mudos you can easily convert any one of the 310K packets into a D/DoS configuration for our testing.

Drafts

As we kept adding new applications on pcapr, the community wanted a private repository to upload, edit and manage pcaps without the whole world knowing about it. Hence Drafts. With Drafts, each pcapr user gets to stash away up to 5 pcaps that are completely hush-hush. They don’t show up in searches, and the user can edit, rewrite and reorder the packets in them, and delete the pcaps altogether.

Cap’r Mak’r

Cap’r Mak’r (Are you a Zeppelin fan or what?) was released in March 2009 as a way to create pcaps from content. If you are testing DPI, firewall, IPS or a UTM, you often have to validate the content within protocols against your signatures. Cap’r Mak’r solves this problem by creating new pcaps from any type of content. We’ve since added SMTP and POP3 as wrapper protocols within which you can insert attachments and get new pcaps. No more setting up servers and tcpdump’ing your way to victory.

Content Extraction

Face it, every packet geek wants to read emails, extract web pages and images that are deeply buried within the pesky packets. When it comes to HTTP, there’s also the gzip Transfer-Encoding to worry about. Given that browsers are the applications these days, pcapr harnesses the power of the browser to unzip and inflate HTTP attachments with just a couple of clicks. You can see content extraction in action with turkey-in-packets, where we managed to stuff a turkey within a pcap. Can you find it and extract it?
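As an added illustration (not pcapr’s own code), here is a small Python routine that does the HTTP part of the content extraction described above: take a reassembled HTTP response, undo chunked transfer-coding, then inflate the body whether gzip was declared as a Transfer-Encoding or a Content-Encoding (deflate is handled too, since servers send it both zlib-wrapped and raw). The sample response, the fake JPEG payload and the function names are constructed for this example.

```python
import gzip
import zlib

def _dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer-coding; trailers after the last chunk are ignored."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop any ";ext" chunk params
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # step over the CRLF that terminates this chunk

def extract_http_body(raw: bytes) -> bytes:
    """Split a reassembled HTTP response, strip chunking, then inflate gzip
    (declared as either a transfer-coding or a content-coding) or deflate."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    te = headers.get(b"transfer-encoding", b"")
    ce = headers.get(b"content-encoding", b"")
    if b"chunked" in te:            # chunking is applied last, so remove it first
        body = _dechunk(body)
    if b"gzip" in te or b"gzip" in ce:
        body = gzip.decompress(body)
    elif b"deflate" in ce:
        try:
            body = zlib.decompress(body)                   # zlib-wrapped, per RFC
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, as some servers send
    return body

# Constructed sample payload: a fake JPEG-looking blob, not a real capture.
SAMPLE_PAYLOAD = b"\xff\xd8\xff\xe0" + b"constructed image bytes " * 8

def build_sample_response(payload: bytes, gzip_as_transfer_coding: bool = False) -> bytes:
    """Constructed response: gzip the payload and send it as two chunks."""
    comp = gzip.compress(payload)
    half = len(comp) // 2
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (comp[:half], comp[half:]))
    if gzip_as_transfer_coding:
        enc = b"Transfer-Encoding: gzip, chunked\r\n"
    else:
        enc = b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n" + enc + b"\r\n" + chunks + b"0\r\n\r\n"

if __name__ == "__main__":
    print("recovered", len(extract_http_body(build_sample_response(SAMPLE_PAYLOAD))), "bytes")
```

The input is the reassembled TCP stream for one response; reassembly itself (ordering segments, handling retransmissions) is a separate step that a tool like Wireshark performs before content can be pulled out.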

Field Index

With over 2300 pcaps, you have to figure out a way to find a pcap that has a specific field within a packet. Well, not only did we index the protocols, description and name of the pcaps, we also indexed all of the unique Wireshark fields within those packets. This means you can rapidly find a pcap with that specific field. Turns out this also gives us a sense for the overall protocol coverage.

Forensics

This is the big bad one. With over 51 million packets, we launched Collaborative Network Forensics in August 2009 by indexing a large number of publicly available pcaps so that our users can browse through them, annotate interesting packets and do full-text search on all those packets. This, by far, makes pcapr the largest online repository of packets! You can search and extract in real-time, not to mention involve the broader community to help you find the hidden IRC channels on random ports. ;-)

Trends

This is classic-web-2.0-meets-packets. pcapr user Tyson Key broke some records this year by uploading over 700 pcaps within a short amount of time. To unravel all of this data and how it helps you understand the meaning of 42, we launched Trends as a way to visualize 5-dimensional data within pcaps.

So next time you think packets, we would highly recommend that you check out pcapr. With a growing active community of packet geeks, we hope to accomplish even more in 2010. Do let us know how we can help make sense out of packets!
